Last week, California enacted bills SB 1177 and AB 1584, strengthening student privacy protections in the State.
SB 1177 prohibits operators of online sites or mobile apps who know that their services are used primarily for K-12 school purposes and whose services designed and marketed as such (“operators”) from using K-12 student data in four specific ways. First, SB 1177 prohibits operators from engaging in targeted advertising on any website or mobile app (including their own) if the advertising would be based on any information obtained from the operations of its K-12 online site or mobile app. Second, SB 1177 prohibits operators from using information obtained from the operations of the K-12 online site or mobile app to create a “profile” about a K-12 student, unless the profile is created in furtherance of K-12 school purposes. Third, operators are prohibited from selling a student’s information. And, fourth, SB 1177 prohibits operators from disclosing personally identifiable information, unless certain special circumstances exist, such as responding to or participating in judicial process.
In addition to the four prohibitions listed above, SB 1177 places two affirmative requirements on operators. The bill requires that operators “[i]mplement and maintain reasonable security procedures and practices” appropriate to the information protected, and to specifically protect the information from “unauthorized access, destruction, use, modification, or disclosure.” In addition, SB 1177 requires operators to delete personally identifiable information regarding a K-12 student upon request by a school or school district.
AB 1584 addresses the access and use of K-12 student data by third party vendors. AB 1584 explicitly permits local educational agencies to enter into contracts with third parties to provide online services relating to management of pupil records or to otherwise access, store, and use pupil records in the course of performing contractual obligations.The bill goes on to direct that contracts with such third parties contain certain provisions, the effect of which is to require the following:
- Pupil records be the property of and under the control of the educational agency
- Pupils retain possession and control of their content
- Legal guardians or the pupils have the ability to review and/or correct personally identifiable information
- Third parties not retain pupil records beyond the terms of the contract
- Third parties not use pupil record information for purposes beyond those specified in the contract
- Third parties not use personally identifiable pupil record information to engage in targeted advertising
- Third parties ensure the security and confidentiality of the records
- Third parties notify legal guardians or the pupil in the event of an unauthorized disclosure
- Third parties and local educational agencies must work together to ensure compliance with the federal Family Educational Rights and Privacy Act
Where a contract does not contain the required provisions, if the contract is not amended to comply within a reasonable period of time after notice of deficiency, AB 1584 provides that the contract will be rendered void.
While existing federal and California laws already safeguard student data, SB 1177 and AB 1584 prescribe additional requirements and specific prohibitions regarding the access, use, and management of such data to strengthen K-12 student data protections in California.